Date: Tue, 15 Oct 2002 12:14:11 +0700 From: Alain Fauconnet <alain@cscoms.net> To: snort-users@lists.sourceforge.net Cc: Prachid Tiyapanjanit <prachid@cscoms.net>, Kunos.Peter@PSZAF.hu, erek@theadamsfamily.net, freebsd-alpha@freebsd.org Subject: Re: [Snort-users] Segfault on Alpha 1.9.0 Message-ID: <20021015121411.J5886@cscoms.net> In-Reply-To: <20021015102920.F5886@cscoms.net>; from alain@cscoms.net on Tue, Oct 15, 2002 at 10:29:21AM %2B0700 References: <20021015102920.F5886@cscoms.net>
next in thread | previous in thread | raw e-mail | index | archive | help
--z6Eq5LdranGa6ru8
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Following up to my own message about:
- SIGSEGV in Snort 1.9.0 on FreeBSD-alpha
- lots of "unaligned access" messages
[...]
> It looks like the argument passed to PreprocUrlDecode is wrong. It should
> be a valid (Packet *), which 0x1 can't be.
>
> (gdb) p p
> $3 = (Packet *) 0x1
>
Well, it looks like gdb has problem displaying the correct value
passed as the 'p' argument in many routines. This value showing as 0x1
is probably an artefact. Yes, FreeBSD 4.2 is old, this box needs an
upgrade.
It looks like this case was simpler than I thought:
Program received signal SIGSEGV, Segmentation fault.
0x120054888 in PreprocUrlDecode (p=0x1) at spp_http_decode.c:443
443 while(index < end && !lookup_whitespace[(u_int)(*index)])
(u_int)(*index) generates a value that is way beyond the allowed 0..255
range for index in lookup_whitespace, so in some cases it raises a SIGSEGV.
It could be because all this is Unicode stuff.
I've changed all (u_int) casts use to generate an index into lookup_whitespace
and lookup_hexvalue to (u_char) in spp_http_decode.c and that fixed
the SIGSEGVs for me (patch attached).
> I also have gadzillions of unaligned access warnings, all inside
> functions CheckSrcIP and CheckDstIP. I suspect a misaligned structure.
>
> pid 31358 (snort): unaligned access: va=0x120196032 pc=0x12002a210 ra=0x1200293e8 op=ldl
> pid 31358 (snort): unaligned access: va=0x120196036 pc=0x12002a428 ra=0x12002a280 op=ldl
Here, I've tried "uac -s" to debug the thing so that Snort gets a SIGBUS when
unaligned access occurs. Here's what I've got:
Program received signal SIGBUS, Bus error.
BuildPacket (s=0x12005b6f4, stream_size=301968392, p=0x120179970,
direction=301968672) at spp_stream4.c:3360
3360 stream_pkt->iph->ip_dst.s_addr = p->iph->ip_src.s_addr;
Can't look at the value of 'p', GDB obviously finds it wrong because the
value is different at one stack frame level upper:
(gdb) bt
#0 BuildPacket (s=0x12005b6f4, stream_size=301968392, p=0x120179970,
direction=301968672) at spp_stream4.c:3360
#1 0x12005a5c4 in FlushStream (s=0x12005a5c4, p=0x11ffabd8,
direction=538417520) at spp_stream4.c:3241
Let's see the instruction raising the exception:
(gdb) x/i $pc
0x12005ab5c <BuildPacket+412>: ldq t0,-28576(gp)
Registers:
(gdb) i r
v0 0x12018e01e 4833468446
t0 0x12018e026 4833468454
t1 0x11ffad20 301968672
t2 0x120163260 4833292896
t3 0x10450008ba07c420 1172343315480691744
t4 0xffff000000000000 -281474976710656
t5 0xffffffff 4294967295
t6 0x601053c2b000 105623241011200
t7 0x1045000800000000 1172343312359620608
s0 0x22 34
s1 0x3c 60
s2 0x120163230 4833292848
s3 0x120160000 4833280000
s4 0x120169fce 4833320910
s5 0x3 3
fp 0x11ffab88 301968264
a0 0x12018e01e 4833468446
a1 0x120163252 4833292882
a2 0x6 6
a3 0x120163258 4833292888
a4 0x12018e024 4833468452
a5 0xffffffffba1a8364 -1172667548
t8 0x160242678 5907949176
---Type <return> to continue, or q <return> to quit---
t9 0x1600893a8 5906142120
t10 0x55dc6 351686
t11 0x41c00 269312
ra 0x12005ab00 4832209664
t12 0x1602260c0 5907833024
at 0x160242678 5907949176
gp 0x12008b638 4832409144
sp 0x11ffab88 301968264
zero 0x0 0
pc 0x12005ab5c 4832209756
vfp 0x11ffabd8 301968344
I'm not fluent enough in Alpha machine code to debug this.
I assume that 'ldq' is load quadword, so the problem must be on the
right side of the assigment, when reading p->iph->ip_src.s_addr
The 'Packet' structure is obviously aligned up to 'iph' since there
are only pointers there. So it must be 'iph'? But it exactly maps the
IP header format, so there's little that can be changed here! The
source IP address in there is 32-bit aligned too.
Comments anyone? (I'll Cc: this to freebsd-alpha)
For now, "uac -p" in the Snort startup shell script will at least
avoid the annoying messages.
Greets,
_Alain_
--z6Eq5LdranGa6ru8
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="spp_http_decode.c.patch"
*** spp_http_decode.c Tue Oct 15 10:59:32 2002
--- spp_http_decode.c.org Tue Oct 15 10:56:52 2002
***************
*** 440,450 ****
psize = (u_int16_t) (p->dsize);
/* first skip past the HTTP method */
! while(index < end && !lookup_whitespace[(u_char)(*index)])
index++;
/* skip over whitespace seperator */
! while(index < end && lookup_whitespace[(u_char)(*index)])
index++;
/* evilness check */
--- 440,450 ----
psize = (u_int16_t) (p->dsize);
/* first skip past the HTTP method */
! while(index < end && !lookup_whitespace[(u_int)(*index)])
index++;
/* skip over whitespace seperator */
! while(index < end && lookup_whitespace[(u_int)(*index)])
index++;
/* evilness check */
***************
*** 506,512 ****
need the original packet data to stay around
do {
! if(*index == '%' || lookup_whitespace[(u_char)(*index)])
break;
if(*index == '?' && end_on_url_param)
break;
--- 506,512 ----
need the original packet data to stay around
do {
! if(*index == '%' || lookup_whitespace[(u_int)(*index)])
break;
if(*index == '?' && end_on_url_param)
break;
***************
*** 558,565 ****
"Double hex encoding received\n"););
}
! hex1=lookup_hexvalue[(u_char)(*(index+1))];
! hex2=lookup_hexvalue[(u_char)(*(index+2))];
if(hex1 != -1 && hex2 != -1)
{
--- 558,565 ----
"Double hex encoding received\n"););
}
! hex1=lookup_hexvalue[(u_int)(*(index+1))];
! hex2=lookup_hexvalue[(u_int)(*(index+2))];
if(hex1 != -1 && hex2 != -1)
{
***************
*** 608,614 ****
}
}
! else if(lookup_whitespace[(u_char)(*index)])
{
/* we've reached the delimiting whitespace */
/* UriBufs[0].http_version = (u_int8_t *) index; */
--- 608,614 ----
}
}
! else if(lookup_whitespace[(u_int)(*index)])
{
/* we've reached the delimiting whitespace */
/* UriBufs[0].http_version = (u_int8_t *) index; */
***************
*** 625,631 ****
while(index < end &&
((cur - (char *) UriBufs[0].uri) < URI_LENGTH))
{
! if(lookup_whitespace[(u_char)(*index)])
{
/* we've reached the delimiting whitespace */
/* Time to get HTTP version? */
--- 625,631 ----
while(index < end &&
((cur - (char *) UriBufs[0].uri) < URI_LENGTH))
{
! if(lookup_whitespace[(u_int)(*index)])
{
/* we've reached the delimiting whitespace */
/* Time to get HTTP version? */
--z6Eq5LdranGa6ru8--
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-alpha" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20021015121411.J5886>